diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst index 83390b6c2bbca692991b4385a83393ed5753e813..f49e5b5a24d0f20b882bb1134966bd1854540ab5 100644 --- a/docs/releasenotes.rst +++ b/docs/releasenotes.rst @@ -40,6 +40,13 @@ upgrade to Python 3.x, dropping support for Python 2.7. can now login into the database (as the root database user) via unix socket authentication. + * Role will drop the use of Debian system maintenance user + (``debian-sys-maint``) in favour of using the root account with + UNIX socket authentication if the database server has not already + been set-up in that manner. This is the default behaviour starting + from Debian Stretch, and the ``debian-sys-main`` will be present + only if the server has been upgraded from older releases. + * ``ldap_server`` role * Parameter ``ldap_server_domain`` is now mandatory. diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 3840399d205c77bbd201d575f79c19ed5bf1ea6e..ffd18b337b1f99fc52a00fb518f88e360cac0f6a 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -2002,6 +2002,10 @@ The role implements the following: * Configures MariaDB server and client to use *UTF-8* encoding by default. * Sets-up the database root user for passwordless login via UNIX socket authentication. +* Drops the ``debian-sys-maint`` database user (which was used in + Debian Jessie and earlier for maintenance tasks) if it is present, + and updates the Debian system maintenance configuration file to use + the root account over unix socket authentication. Role dependencies diff --git a/roles/database_server/files/debian.cnf b/roles/database_server/files/debian.cnf new file mode 100644 index 0000000000000000000000000000000000000000..1ca3c71696c25566a1d006cff0371af19e4a4475 --- /dev/null +++ b/roles/database_server/files/debian.cnf 
@@ -0,0 +1,12 @@
+# Automatically generated for Debian scripts. DO NOT TOUCH!
+[client]
+host = localhost
+user = root
+password =
+socket = /var/run/mysqld/mysqld.sock
+[mysql_upgrade]
+host = localhost
+user = root
+password =
+socket = /var/run/mysqld/mysqld.sock
+basedir = /usr
diff --git a/roles/database_server/molecule/default/tests/test_default.py b/roles/database_server/molecule/default/tests/test_default.py
index c4bcce1edb3772115c4296e339d63954e2190bd6..fe7698082e23b2cd3577a007ff96b9cd113f3ca5 100644
--- a/roles/database_server/molecule/default/tests/test_default.py
+++ b/roles/database_server/molecule/default/tests/test_default.py
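Review bot: The first line of the new `debian.cnf` still reads `# Automatically generated for Debian scripts. DO NOT TOUCH!`, but in this commit the file is a static copy shipped by the role, so an administrator reading it on the host cannot tell where it comes from or why `password =` is empty. A second comment line would cover both, for example `# Deployed by the database_server role; root logs in via UNIX socket authentication, so no password is stored here.`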
@@ -123,3 +123,45 @@ def test_root_can_login_via_unix_socket_only(host):
 assert root_logins_with_unix_socket.rc == 0
 assert root_logins_with_unix_socket.stdout.strip() == "root localhost"
+
+
+def test_debian_system_maintenance_user_is_absent(host):
+ """
+ Tests if the dedicated Debian system maintenance user is absent
+ (leftover from Debian Jessie and previous versions).
+ """
+
+ with host.sudo():
+ debian_system_maintenance_user = host.run("mysql -BNe %s", "select count(*) from mysql.user where user = 'debian-sys-maint'")
+
+ assert debian_system_maintenance_user.rc == 0
+ assert debian_system_maintenance_user.stdout.strip() == "0"
+
+
+def test_debian_system_maintenance_configuration_file(host):
+ """
+ Tests if the Debian system maintenance configuration file has been
+ set-up properly.
+ """
+
+ with host.sudo():
+ config = host.file("/etc/mysql/debian.cnf")
+
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o600
+ assert "debian-sys-maint" not in config.content_string
+
+
+def test_debian_system_maintenance_configuration_file_can_be_used_for_login(host):
+ """
+ Tests if the Debian system maintenance configuration file can be
+ used for authenticating as the root user.
+ """
+
+ with host.sudo():
+ login = host.run("mysql --defaults-file=/etc/mysql/debian.cnf -NBe %s", "select current_user();")
+
+ assert login.rc == 0
+ assert login.stdout.strip() == "root@localhost"
diff --git a/roles/database_server/tasks/main.yml b/roles/database_server/tasks/main.yml
index a6fbdd5e9c5804e839728e92b8a2d51da15fc5fb..706f29de184ef79aae6fd4dc0f8947d3abc692bc 100644
--- a/roles/database_server/tasks/main.yml
+++ b/roles/database_server/tasks/main.yml
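Review bot: In `test_debian_system_maintenance_configuration_file` only `config = host.file("/etc/mysql/debian.cnf")` appears to sit inside `with host.sudo():`; the blank line before `assert config.is_file` suggests the asserts are outside the block, though the indentation is not recoverable from this page. testinfra evaluates `is_file`, `user`, `group`, `mode` and `content_string` lazily, when the attribute is read, so the 0600 root-owned file would be read without sudo. In that case the test passes only where the test connection is already root. Moving the five `assert config...` lines under the `with` block keeps the check valid on an unprivileged connection.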
@@ -53,6 +53,26 @@
 path: "/root/.my.cnf"
 state: absent
+- name: Check if Debian system maintenance configuration file uses dedicated user
+ command: "grep -q 'user.*=.*root' /etc/mysql/debian.cnf"
+ register: debian_maintenance_configuration_uses_root
+ failed_when: false
+ changed_when: false
+
+- name: Deploy Debian system maintenance configuration file that uses root account
+ copy:
+ src: "debian.cnf"
+ dest: "/etc/mysql/debian.cnf"
+ owner: root
+ group: root
+ mode: 0600
+ when: "debian_maintenance_configuration_uses_root.rc != 0"
+
+- name: Drop the dedicated Debian system maintenance user
+ mysql_user:
+ name: "debian-sys-maint"
+ state: absent
+
 - name: Set UTF-8 encoding as default for MariaDB
 copy:
 src: "utf8.cnf"
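Review bot: The `when: "debian_maintenance_configuration_uses_root.rc != 0"` gate on the copy task rests on `grep -q 'user.*=.*root'`, which is unanchored and succeeds as soon as any one line matches, such as a commented-out line or a file where `[client]` uses root while `[mysql_upgrade]` still names `debian-sys-maint`. In that case the file is left as it is, the next task drops the user, and `/etc/mysql/debian.cnf` keeps a stale account and password that the maintenance scripts will try to use. Since `copy` is already idempotent, removing the check task and the `when:` line lets the role always enforce the file. If the check stays, anchor it (`grep -Eq '^user[[:space:]]*=[[:space:]]*root[[:space:]]*$'`) and rename the task, whose name says "uses dedicated user" while it tests for root.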